Air-Gapped Computers Can Communicate Through Heat: Researchers

Researchers at the Ben Gurion University in Israel have demonstrated that two computers in close proximity to each other can communicate using heat emissions and built-in thermal sensors.

In an experimental scenario involving two debitvices placed at up to 15 inches from each other, researchers have managed to transmit up to 8 bits of data per hour, which is enough for exfiltrating sensitive data such as passwords and secret keys, and for sending commands. This novel attack method has been dubbed BitWhisper.

It is not uncommon for organizations that handle highly sensitive information to isolate certain computers in order to protect valuable assets. Air-gap security is often used for industrial control systems (ICS) and military networks. However, as it has been demonstrated before, such as in the case of the notorious Stuxnet worm which targeted Iranian nuclear facilities, air-gap security can be breached.

Over the past months, Ben Gurion University researchers have analyzed several techniques that can be leveraged to exfiltrate data from an air-gapped computer, including by using radio signals emitted by a device’s graphics card, and by using a multifunctional printer to receive and transmit data.

Now, experts have demonstrated that a bidirectional communication channel can be established between two standard computers by using the heat emitted by various components, such as the CPU and the GPU. An attacker simply needs to plant a piece of malware on each of the PCs that need to communicate.

In their experimental scenario, researchers placed two computers parallel to each other on a desk located in a standard office environment. One of the devices was connected to the Internet, while the other was connected to the internal network. This is a common scenario in many organizations where employees are required to carry out sensitive tasks on an air-gapped system while still needing access to the Internet.

Infecting the Internet-connected device with malware is not a difficult task. As demonstrated numerous times before, a piece of malware can be easily delivered using spear-phishing emails and social engineering techniques. Planting a threat on an isolated system is possible through attacks on the supply chain, infected USB drives, or with the aid of malicious insiders, researchers explained in a paper that will be published in the upcoming days.

Once the malware is in place on both computers, heating patterns are generated on the sender device by controlling the CPU or GPU workload, which results in modifications in temperature. In the meantime, the receiving PC monitors the temperature changes using the thermal sensors built into the CPU, the GPU, the motherboard, or other components.

“BitWhisper establishes a covert channel by emitting heat from one PC to the other in a controlled manner. By regulating the heating patterns, binary data is modulated into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and demodulated into binary data,” researchers explained.

While BitWhisper is highly complex, with numerous variables that must be taken into consideration for the attack to be successful, the method doesn’t require any dedicated or modified hardware, experts noted.

In addition to stealing sensitive information from air-gapped devices, the BitWhisper method can also be used for a worm attack or to send malicious commands to isolated ICS.

“After infecting the networks, the malware spreads over both networks and searches the surroundings for additional PCs within close proximity, spatially. Proximity is determined by periodically sending ‘thermal pings’ over the air,” researchers explained. “Once a bridging attempt is successful, a logical link between the public network and the internal network in established. At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses.”

In a video demonstrating the capabilities of a BitWhisper prototype, researchers have used a USB missile launcher to shown that one air-gapped computer can send commands to another air-gapped device using only thermal radiation.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.